DEBIAN-CVE-2026-0994

DEBIAN-CVE-2026-0994 PUBLISHED CVSS 7.5 HIGH

A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.
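
One way to bound nesting before untrusted input reaches ParseDict(), as an added example that is not part of the original advisory or of the protobuf project's code. It walks the dictionary iteratively, so the guard itself cannot hit the recursion limit. The function names, the constructed sample payload and the limit of 100 are assumptions, and the depth it measures is a conservative approximation rather than protobuf's own accounting.

```python
# Added example: pre-parse guard, independent of the protobuf library.
ANY_TYPE_KEY = "@type"  # JSON key that marks a google.protobuf.Any object


def nesting_depths(payload):
    """Return (max container depth, max nested-Any depth) without recursing."""
    max_depth = max_any = 0
    stack = [(payload, 1, 0)]  # (node, container depth, enclosing Any count)
    while stack:
        node, depth, any_depth = stack.pop()
        if isinstance(node, dict):
            if ANY_TYPE_KEY in node:
                any_depth += 1  # this dict is itself an Any object
            children = node.values()
        elif isinstance(node, (list, tuple)):
            children = node
        else:
            continue  # scalars add no depth
        max_depth = max(max_depth, depth)
        max_any = max(max_any, any_depth)
        stack.extend((child, depth + 1, any_depth) for child in children)
    return max_depth, max_any


def check_depth(payload, limit=100):
    """Raise ValueError when the payload nests deeper than `limit` (assumed value)."""
    depth, any_depth = nesting_depths(payload)
    if depth > limit or any_depth > limit:
        raise ValueError(
            f"nesting too deep: depth={depth}, any_depth={any_depth}, limit={limit}"
        )
    return payload


def build_nested_any(levels):
    """Constructed sample: `levels` Any objects wrapped inside one another."""
    node = {ANY_TYPE_KEY: "type.googleapis.com/google.protobuf.Duration", "value": "1s"}
    for _ in range(levels - 1):
        node = {ANY_TYPE_KEY: "type.googleapis.com/google.protobuf.Any", "value": node}
    return node
```

Call check_depth() on the decoded dictionary and pass only its return value on to the parser; a ValueError means the input should be rejected.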

Risk Scores

CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

Vendor     Product   Versions
Debian:11  protobuf  3.21.12-3, 3.21.12-4, 3.21.12-5
Debian:13  protobuf  4.0.0, 3.21.12-12, 3.21.12-13
Debian:12  protobuf  0, 3.21.12-11, 3.21.12-12
Debian:14  protobuf  0, 3.21.12-11, 3.21.12-13

Timeline

  • Jan 23, 2026 CVE Published
  • Apr 28, 2026 CVE Updated